The high stakes world of bank cyber security can take inspiration from the traditional bank vault. In pre-cyber days, once the first bank in town installed one of those solid, gleaming fortresses, a new business was born: selling access to the bank’s secure infrastructure.
Now cyberbanking is where the money is and banks have no choice but to build up defenses against cyber intrusions. As they do, they can convert their new security infrastructure to value for their customers, beyond its defensive purposes.
Threats to cybersecurity are growing more numerous and costly. The FBI reported an 84% increase in cyber threat cases investigated since 2002. In a recent cyber heist that hit 27 countries, $45 million vanished in just hours. The cost of a cyber intrusion is estimated at $5.4 million for U.S. companies. Security is the second highest area where banks plan to spend increased IT dollars.
Traditional perimeter defenses no longer work because the perimeter can no longer be defined and because the business of banking requires customers and suppliers to be invited inside the perimeter. As one bank security official explained, “It’s great that we can let our biggest treasury management customer see his entire company’s banking relationship on our site from any country and transfer mind-boggling sums around the world in real time. But for me, that ratchets up the cost of a single intrusion. For criminals, it ratchets up the payoff, and they know it.”
Next Generation Jump
By and large, the banking industry is doing a good job fending off known and knowable threats, such as distributed denial-of-service attacks. But in the future, banks will be held responsible for things that are not even on their radar today. Asking, “Two years from now, where will criminals come at me, and how do I prevent them?” is the wrong question. It pre-supposes a strategy that is unlikely to be sustainable: beating the criminals to the next point of vulnerability, constantly trying to understand new threats, constantly plugging the holes in the existing architecture and hiring more people to write more security code every time you add something to your cyber network.
A strategy more suited to today’s environment would acknowledge instead the need for a fundamentally different defense. The right question is not, “What do we add and where?” but, “How do we skip incremental improvements and go straight to the next generation of solutions?”
Here’s what skipping a generation might look like: the strategy employed in military environments, where they simply make their remote devices undetectable via “cloaking.” This automated and non-disruptive process allows assets (servers, PCs, mobile devices) with common interests to be securely grouped together. Cryptographic keys are then exchanged between members of the group which allows communication and renders the device “undetectable” to all others.
In the banking version, endpoints and transactions are rendered undetectable; they never become targets. The hacker advantage – finding a device, honing in on it and gradually breaking down its defenses while its owner is unaware – evaporates entirely. They can’t hack what they can’t see.
Imagine being confident that your bank can give your end users everything they are authorized to receive, without potential intruders even being aware that an exchange is taking place. Like the first bank in an old West town to install a vault, the bank that protects itself from thieves this way is infinitely more appealing to its customers. With that profound advantage in hand, the protected bank can take other measures in the interest of their customers, for example: easing access for low-risk transactions, making superior security a sales tactic for skittish prospects and saving customers the high costs of rip-and-replace.
While the bank needs to be capable of extremely high levels of security, not all customers need the highest level. Spending security dollars wisely means recognizing the distinctions between customers. Even the military reserves its heaviest layer of security for the most sensitive intel and ops, not for recruiting or social programs. For banks, obvious distinctions would be between a mobile purchase at Starbucks and the portfolio of a wealth management client. But in between are endless gradations where it is essential to know the risk, the value of the customer and how customers see the risk. The bank’s security apparatus needs to be flexible enough so that security levels can be adjusted quickly as threats appear and threat levels rise or fall.
Banks can then use the security of their transaction apparatus to attract new clients and retain those they have. It’s an important time to seize that advantage. Boston Consulting Group estimates that by 2020, bank revenue in transaction banking will near $500 billion. Early movers who can legitimately claim superior security will be hard to compete against and hard to dislodge once in place.
Finally, using superior security saves banks money, it’s that hidden price tag of constantly upgrading technology, the rip-and-replace cost. When companies strip out solutions that were installed at great expense and fanfare, they lose more than just the old solution. There’s a potential credibility loss with customers, customer disruption, uncertainty, delay, and even added risk as the gaps get reclosed. A cloaking solution makes rip-and-replace unnecessary, leaving customers undisturbed while improving their security, and saving the bank the cost of replacement solutions.
As cybersecurity becomes what experts call an “existential” issue for banks, meaning their very existence is at stake, every bank has to ask, “What are our crown jewels? What is the most important information or asset that we must protect?” Having done so, they will see the competitive value of switching from a passive perimeter defense to a proactive, all-encompassing shield.
Mr. Olson is vice president, Global Financial Services, and Mark Feverston is vice president, Data Security Solutions, of Blue Bell, Penn.-based Unisys Corp. They can be reached at [email protected] and [email protected].
